Let’s Encrypt uses CAA to determine whether they’re allowed to issue certificates for a domain name.
You don’t need a CAA record for your domain (IIRC even SERVFAIL or REFUSED would be fine), but a timeout is treated as an error. This seems to have recently been fixed in PowerDNS, but I’m not sure if it has been included in a release yet.
I’m also using PowerDNS 3.x and have no CAA record defined and I’m issuing certificates with no problem at all.
A couple of hours ago Let’s Encrypt performed an update in boulder side and after that they detected several errors due a hardware failure, maybe you tried to issue your cert during that time frame, it’s worth to try again now that seems that problem has been resolved.